AI – Could Be the Next Hole in your Security Posture

Over the Christmas holidays, the advertisements for Alexa, Google Home and similar were about every other commercial on television. I have to admit I don’t really see a need to ask a personal digital assistant to turn on music, add something to a shopping list or tell me what the weather is like outside – but then again, I can see the attraction for some.

If you did receive a digital assistant or are thinking of getting one, please read the following article:

AI in the Workplace: How Digital Assistants Impact Cybersecurity

Digital Assistants (sometimes seen as AIs) are becoming ubiquitous in living rooms and smartphones everywhere. Now, these devices are taking the leap to the business world. With Amazon’s announcement of the Alexa for Business Platform, AIs may soon be able to assist with everything from conference calls to office supply orders. All that utility may come at the cost of security, however, since these AI devices are vulnerable to potential hacking.

Digital Assistants Enter the Business World

Digital assistants have exploded in popularity over the last two years. Amazon’s Echo devices were the website’s number-one-selling product last year, and Google and Apple are eyeing increasing market shares as new developments for Google Home and Apple HomeKit close the AI gap.

Amazon has made recent moves to conquer the small business market and is the first in the burgeoning AI industry to attempt to do so. The Alexa for Business Platform brings additional functionality (Alexa’s “skills”) to offices everywhere. There are still some hurdles for the technology; lingering privacy concerns leave some businesses wondering whether the addition of a digital assistant will leave their company vulnerable to a security breach.

Digital Assistants and Security

Digital assistants like Alexa, Google Assistant, and Siri use voice recognition technology as their primary interface. This means they are always listening, even when they are not in use. For a hacker, this makes any digital assistant a potential listening device, a security flaw that was proven in a report released by British security researcher Mark Barnes. With access to the microphone, corporate espionage and identity theft are real concerns.

Privacy

Privacy is another major hurdle before digital assistants gain widespread adoption in the corporate world. Private data exchanges can use a protocol called end-to-end encryption, which restricts data access to just the sender and receiver.

Unfortunately, end-to-end encryption is not always the default, and many devices and programs don’t use it, leaving any collected data open to mining by third parties — Google’s Allo messaging app uses voice recognition technology without end-to-end encryption.

A team from Zhejiang University found another startling vulnerability for digital assistants using ultrasonic signals. Aptly named the DolphinAttack, the technique uses ultrasonic frequencies above the human hearing range to issue commands to nearby AIs. The attack effectively turns these devices into a backdoor, since a hacker can simply ask a device equipped with Alexa, Siri, or Google Assistant to visit a phishing website, call a phone number, or disable a web-connected security system.

Businesses are increasingly finding themselves the target for these types of attacks. In a process called “whale phishing”, hackers specifically target high-value individuals in corporate offices for phishing scams, identity theft, and more. Larger businesses are vulnerable since they offer hackers bigger targets for these types of breaches.

Protecting Your Business from Attack

The Better Business Bureau’s 2017 survey of cybersecurity issues among small businesses reports that one out of five companies has been the victim of a cyber-attack. Many of these attacks can be traced to lost personal data like passwords or an employee’s identity, raising concerns for digital assistants and their potential use as listening devices.

Beyond general statistics, it’s hard to identify the frequency of hacks specifically related to digital assistants, but the vulnerabilities are hard to ignore. Web-connected devices of all types can potentially be used as entry points into secure systems; a North American casino was the victim of data theft using a Wi-Fi connected fish tank. Barnes recommends not putting smart devices in spaces where compromising information could be overheard.

If the benefits of a digital assistant outweigh the potential drawbacks, you can take steps to minimize your risk of a security breach, both physically and digitally. The Better Business Bureau’s survey shows that cyber-attacks can even come from internal employees. Implementing a prevention plan and a response plan can offer the best protection for your business.

The Future of AIs and Cybersecurity

The rapid development of machine learning and voice-powered AIs points to a rapidly changing future. Chips developed by MIT hint at the development of digital assistants that no longer require a web connection to process AI-related tasks like voice recognition, potentially closing many of the security flaws these devices possess.

Whether these devices can overcome their security flaws and mainstream into the corporate world is unclear, but the rapid development of their underlying technologies indicates big changes on the horizon for offices everywhere. Some of the concerns about listening devices may also be exaggerated; as Barnes reminds readers in his article, almost all of us already have a smartphone mic in our pocket that we are okay with.